
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Django 1.3.5 release notes &#8212; Django 1.11.22.dev20190603194737 documentation</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Django 1.3.4 release notes" href="1.3.4.html" />
    <link rel="prev" title="Django 1.3.6 release notes" href="1.3.6.html" />



 
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);
</script>


  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 1.11.22.dev20190603194737 documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="1.3.6.html" title="Django 1.3.6 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.3.4.html" title="Django 1.3.4 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.3.5">
            
  <div class="section" id="s-django-1-3-5-release-notes">
<span id="django-1-3-5-release-notes"></span><h1>Django 1.3.5 release notes<a class="headerlink" href="#django-1-3-5-release-notes" title="Permalink to this headline">¶</a></h1>
<p><em>December 10, 2012</em></p>
<p>Django 1.3.5 addresses two security issues present in previous Django releases
in the 1.3 series.</p>
<p>Please be aware that this security release is slightly different from previous
ones. Both issues addressed here have been dealt with in prior security updates
to Django. In one case, we have received ongoing reports of problems, and in
the other we’ve chosen to take further steps to tighten up Django’s code in
response to independent discovery of potential problems from multiple sources.</p>
<div class="section" id="s-host-header-poisoning">
<span id="host-header-poisoning"></span><h2>Host header poisoning<a class="headerlink" href="#host-header-poisoning" title="Permalink to this headline">¶</a></h2>
<p>Several earlier Django security releases focused on the issue of poisoning the
HTTP Host header, causing Django to generate URLs pointing to arbitrary,
potentially-malicious domains.</p>
<p>In response to further input received and reports of continuing issues
following the previous release, we’re taking additional steps to tighten Host
header validation. Rather than attempt to accommodate all features HTTP
supports here, Django’s Host header validation attempts to support a smaller,
but far more common, subset:</p>
<ul class="simple">
<li>Hostnames must consist of characters <code class="docutils literal notranslate"><span class="pre">[A-Za-z0-9]</span></code> plus hyphen (‘-‘) or dot
(‘.’).</li>
<li>IP addresses – both IPv4 and IPv6 – are permitted.</li>
<li>Port, if specified, is numeric.</li>
</ul>
<p>Any deviation from this will now be rejected, raising the exception
<a class="reference internal" href="../ref/exceptions.html#django.core.exceptions.SuspiciousOperation" title="django.core.exceptions.SuspiciousOperation"><code class="xref py py-exc docutils literal notranslate"><span class="pre">django.core.exceptions.SuspiciousOperation</span></code></a>.</p>
</div>
<div class="section" id="s-redirect-poisoning">
<span id="redirect-poisoning"></span><h2>Redirect poisoning<a class="headerlink" href="#redirect-poisoning" title="Permalink to this headline">¶</a></h2>
<p>Also following up on a previous issue: in July of this year, we made changes to
Django’s HTTP redirect classes, performing additional validation of the scheme
of the URL to redirect to (since, both within Django’s own supplied
applications and many third-party applications, accepting a user-supplied
redirect target is a common pattern).</p>
<p>Since then, two independent audits of the code turned up further potential
problems. So, similar to the Host-header issue, we are taking steps to provide
tighter validation in response to reported problems (primarily with third-party
applications, but to a certain extent also within Django itself). This comes in
two parts:</p>
<p>1. A new utility function, <code class="docutils literal notranslate"><span class="pre">django.utils.http.is_safe_url</span></code>, is added; this
function takes a URL and a hostname, and checks that the URL is either
relative, or if absolute matches the supplied hostname. This function is
intended for use whenever user-supplied redirect targets are accepted, to
ensure that such redirects cannot lead to arbitrary third-party sites.</p>
<p>2. All of Django’s own built-in views – primarily in the authentication system
– which allow user-supplied redirect targets now use <code class="docutils literal notranslate"><span class="pre">is_safe_url</span></code> to
validate the supplied URL.</p>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 1.3.5 release notes</a><ul>
<li><a class="reference internal" href="#host-header-poisoning">Host header poisoning</a></li>
<li><a class="reference internal" href="#redirect-poisoning">Redirect poisoning</a></li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="1.3.6.html"
                        title="previous chapter">Django 1.3.6 release notes</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="1.3.4.html"
                        title="next chapter">Django 1.3.4 release notes</a></p>
  <div role="note" aria-label="source link">
    <h3>This Page</h3>
    <ul class="this-page-menu">
      <li><a href="../_sources/releases/1.3.5.txt"
            rel="nofollow">Show Source</a></li>
    </ul>
   </div>
<div id="searchbox" style="display: none" role="search">
  <h3>Quick search</h3>
    <div class="searchformwrapper">
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    </div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">Jun 03, 2019</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="1.3.6.html" title="Django 1.3.6 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.3.4.html" title="Django 1.3.4 release notes">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>